FBI, Security Vendors Partner to Take Down Hacker Consortium

WEBINAR:On-Demand

Security vendors and federal law enforcement collaborated for five years to rid the world of a cyber-threat that let a criminal consortium collect millions from false advertisements.

The FBI got an assist from IT security researchers in an
operation to shut down one of the world's longest-running and most-costly
botnets that ended last week. In addition to ridding the world of one of its
more odious malware infestations, "Operation Ghost Click" also nabbed
a brazen criminal consortium of "clickjacking" hackers.

The operation resulted in the arrest of six
Estonian nationals. The hacker group infected about 4 million computers
in 100 countries, collecting about $14 million, the FBI said.

The Eshost botnet was shut down, according to researchers
with Trend Micro, which helped lead the public-private alliance. It was one of
the last remaining large-scale botnets in the wild as cyber-criminals have
begun using more targeted, smaller operations to fly under law-enforcement
radar.

The FBI and cyber-security vendors collaborated for five
years on the mission to take down the botnet, says Paul Ferguson, advanced
threats researcher for Trend Micro.

"I feel like an enormous burden was lifted because
we've been working on this for over five years," Ferguson says. "The
guys in my research group discovered what these rogue actors were doing back in
2006."

The crooks in question were part of an organization known as
the Rove group, allegedly responsible for creating the DNSChanger malware,
which replaced legitimate advertisements with fake ones on infected PCs,
effectively routing payments for user clicks to the bad guys instead of the advertisers.

"Basically they were doing ad replacement on legitimate Web properties. For instance if you went to CNN and there was originally
supposed to be an embedded ad there for Toyota or something, they would replace
it with their own ads. Because basically PCs were infected with this DNSChanger
malware that changed the DNS settings to their infrastructure, and so if the
domain was one of the ones listed in the 14,000 and 15,000 domains that they provided
rogue resolution for, they would point to their own infrastructure for like ads."

As Manhattan U.S. Attorney Preet Bharara put it, the
defendents gave new meaning to the term 'false advertising.'

"As alleged, they were international cyber-bandits who
hijacked millions of computers at will and re-routed them to Internet Websites
and advertisements of their own choosing—collecting millions in undeserved
commissions for all the hijacked computer clicks and Internet ads they fraudulently
engineered," Bharara said. "The international cyber-threat is perhaps
the most significant challenge faced by law enforcement and national security
agencies today, and this case is just perhaps the tip of the Internet iceberg.
It is also an example of the success that can be achieved when international
law enforcement works together to root out Internet crime. We are committed to
continuing our vigilance and efforts—it is essential to our national security,
our economic security and our citizens’ personal security."

In addition to running the infrastructure that powered this
operation that eventually netted the crooks $14 million, DNSChanger also helped
revolutionize the malware world, says Andrew Brandt, malware analysis expert
and director of Threat Research at forensics and network security analytics
firm, Solera Networks.

"In many ways, DNSChanger helped pioneer some of what
are now common malware techniques: It comprised a tiny payload of malware that
propagated using social-engineering techniques, rather than vulnerabilities. It
employed server-side randomization, where the payload executable was generated
on-the-fly when it was requested for download. It was the first to use DNS hijacking as a way to generate a revenue
stream. It was among the first modern, single-purpose malware families, lacking
any sophisticated downloader or backdoor capability, which kept the file sizes
small and unobtrusive," he says.

"And it was one of the first
cross-platform malware families, as the authors eventually released a variant
that functioned identically under the Mac OS as it did in Windows, even
pointing to the same DNS server ranges as the Windows versions did."

According to Ferguson, this operation could be among the
last of its kind, as cyber-criminals are changing tactics and reducing their
scope.

"There are probably only a couple more botnets
where it is this monolithic type of criminal operation," he says.
"Because what we've been seeing trending the last couple of years is
criminals have diversified their assets and compartmentalized to blend in with
the noise and not be such a big target."